In early 2020, when a manager in a bank in Hong Kong received a phone call from a director of a company he knew (1), asking him to transfer some USD 35 million from his company’s account to various beneficiaries, he never could have imagined he was being duped. To add to the phone call, the manager received emails from the director and a lawyer purportedly appointed by the director to oversee the transfer operations. Satisfied with the authenticity of the requests, the bank manager began executing the transfers, little knowing he was amongst the earliest victims of an impersonation that used ‘deep voice’ technology to clone the speech of the director – something that was only thought to be possible in the movies.
Deemed the latest technique in a long line of methodologies used by bad actors to prey on unsuspecting victims, audio and visual deep fakes have taken social engineering to another level altogether.
What it is
Forbes (3) defines Social Engineering as the use of psychological techniques to gain the trust of an unwitting user in order to extract important personal or confidential corporate information for fraudulent purposes. Kaspersky (4) notes that scams based on it are built around how people think and act: once the attacker understands what motivates a user’s actions, that behavior can be manipulated. Very often they prey on users’ lack of awareness of either the importance of key personal data or the technical consequences of acting on suspicious links and the malware that results.
It’s down to manipulation
Social Engineering gets its name from what it does – namely tricking individuals into revealing sensitive information about themselves or their organizations or taking actions that will compromise their security or assets. Grounded in the science of human behavior, psychology, and motivation, Social Engineering tactics are structured to psychologically manipulate victims’ emotions into acting in a manner detrimental to their interests.
Bad actors prey on human behavioral tendencies (2) to react to:
- Greed – as in the case of sensational ‘not-to-be-missed’ offers or going back in time, to the still-successful Nigerian royalty scam that offers huge financial returns in exchange for personal bank details and other confidential information
- Curiosity – as in the case of emails and posts offering new products, while soliciting responses via a fraudulent link or website
- Requests for help – as in the case of requests from impersonated sources, seeking help in the form of surveys and opinions
- Situations that trigger fear and a sense of urgency – as in the case of fictitious emails of the kind informing users their online transactions have not been approved or their passwords and accounts have been compromised
- Authority – as in the case of communications from a bad actor posing as a governmental agency, celebrity, or a religious entity
- Trusted and regularly-used brands – as in the case of bad actors securing confidential information by impersonating brands patronized by users, without giving a thought to their authenticity
How it is orchestrated
The process starts with the cybercriminal identifying target individuals or groups, and then initiating communication with the target to build trust.
The typical cycle involves:
- Gathering background of the intended victim, including interest areas that can serve as entry points for the attack. The threat actor obtains this background information via illegitimate sources or from the social media footprint of the intended victim
- Winning the victim’s trust by establishing a relationship
- Exploiting the victim by advancing the attack using social engineering tactics such as phishing, baiting, etc.
- Disengaging once the victim has taken the desired action
Methods and tactics used
Social Engineering attacks generally take the following form.
Phishing deploys fake emails to trick individuals into revealing confidential information such as usernames, passwords, and credit card numbers. Appearing to be from authentic sources, they typically coax the victim to visit a fraudulent site that captures the confidential information and allows the cybercriminal to act on the stolen information.
- Spam phishing – widespread attacks aimed at multiple users, they generally take the form of mass emails with links to fraudulent sites
- Spear phishing/whaling – targeted attacks against high-value individuals such as government officials, celebrities, etc.
- Voice phishing (vishing) phone calls – automated calls that record users’ inputs
- SMS phishing (smishing) texts – generally mass messages containing a link to a website, or a phone number to call
- Angler phishing – takes place on social media, where an attacker imitates a trusted company’s customer service team, luring the user to respond
- Search engine phishing – fraudulent use of SEO by leveraging fake websites with malicious links into top-ranked search results
- Website URL phishing – emails, texts, social media messages, and online ads that lead unsuspecting users to phishing sites
- In-session phishing – fake login prompts that pop up in the course of users’ normal web browsing
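The brand impersonation described under the behavioral tendencies above and the website URL phishing in this list both rely on hosts that look like a trusted domain. As an added example (not code from the original article), the following Python flags such lookalikes against a constructed allow-list of brand domains; the allow-list, the sample URLs and the naive "last two labels" registrable-domain rule are assumptions.

```python
"""Flag URL hosts that impersonate trusted brand domains (added example)."""
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation legitimately expects users to visit.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "examplebank.com"}


def _registrable(host: str) -> str:
    """Naive registrable domain = last two labels (assumption; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in url (scheme required)."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    reg = _registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # Internationalised labels (punycode) can hide homoglyph characters; treat as suspect.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    for brand in TRUSTED_DOMAINS:
        name = brand.split(".")[0]
        # Brand name used as a subdomain of, or embedded in, an unrelated registrable domain.
        if name in host:
            return "lookalike"
        # Typosquat: registrable domain within one edit of the brand (e.g. a digit for a letter).
        if _edit_distance(reg, brand) <= 1:
            return "lookalike"
    return "unknown"
```

A real deployment would replace the naive registrable-domain rule with a public-suffix list and feed the verdict into mail-gateway or proxy logging rather than blocking outright.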
Baiting typically takes the form of communication that tempts the user into availing of a freebie or a ‘once-in-a-lifetime’ offer. Most common among these are offers of free downloads, free gifts, and rewards, and at times, hoax messages of infections in users’ systems (also referred to as Scareware attacks).
Impersonation attacks involve attackers appearing in person under a false identity, posing as someone legitimate to gain access to areas or sensitive information they are not authorized for. The identities assumed may include government officials, revenue officials, and IT technicians.
Quid Pro Quo Attacks
Quid pro quo is a term roughly meaning “a favor for a favor,” which in the context of Social Engineering represents an exchange of your personal info for some reward in the form of a giveaway or compensation. A ready example of this is the offer to participate in research work.
DNS Spoofing and Cache Poisoning Attacks
DNS spoofing and cache poisoning corrupt the name resolution process so that, even when a legitimate URL is entered, the user’s browser is rerouted to a malicious website.
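As an added illustration of the defensive side of cache poisoning (not code from the original article), the following Python models the checks a caching resolver applies before trusting a reply: the transaction ID and port must match the outstanding query, the question must match, and records for names outside the answering server’s zone are discarded rather than cached. The zone, names and addresses are constructed.

```python
"""Accept a DNS reply into a cache only if it passes anti-poisoning checks (added example)."""
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int          # 16-bit transaction ID chosen at random per query
    port: int          # randomised source port the query was sent from
    qname: str
    qtype: str


@dataclass
class Reply:
    txid: int
    port: int          # destination port the reply arrived on
    qname: str
    qtype: str
    records: list      # (name, type, value) triples from answer/additional sections


@dataclass
class Cache:
    entries: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)   # audit trail of what was dropped and why


def _in_bailiwick(name: str, zone: str) -> bool:
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def accept_reply(cache: Cache, q: Query, r: Reply, zone: str) -> bool:
    """Cache r's records and return True only if r is a plausible answer to q.

    zone is the zone the queried server is authoritative for (constructed here).
    A reply with the wrong ID or port is discarded outright; a record naming a
    host outside the zone is dropped so a forged 'additional' record cannot
    overwrite the cached address of an unrelated, legitimate domain.
    """
    if r.txid != q.txid or r.port != q.port:
        cache.rejected.append(("id/port mismatch", r.txid, r.port))
        return False
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        cache.rejected.append(("question mismatch", r.qname))
        return False
    for name, rtype, value in r.records:
        if not _in_bailiwick(name, zone):
            cache.rejected.append(("out of bailiwick", name))
            continue
        cache.entries[(name.lower().rstrip("."), rtype)] = value
    return True
```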
Watering Hole Attacks
Watering hole attacks plant infections on popular sites in order to impact many users at once. Because the attacker identifies and exploits unpatched vulnerabilities in those sites, such attacks are often described as zero-day exploits. The 2022 Twitter hack is an example of a watering hole/zero-day attack.
Tailgating is a social engineering tactic that involves gaining unlawful entry to a restricted area or network. Also called ‘piggybacking’, tailgating could be termed the oldest method of infiltration, where a cybercriminal may follow an employee into a secure area or use a stolen security badge to gain access to a building. Once inside, they steal sensitive information or install malware.
The advent of AI has proved a haven for the cybercriminal. Using the power of artificial intelligence, bad actors are now automating their attacks and making them more effective. AI-generated deepfakes manipulate images, videos, and audio to clone the identities of persons in positions of responsibility, tricking users into revealing sensitive information or acting in a manner that compromises their security. The Hong Kong bank scam is a classic case of scamsters using AI to orchestrate an attack.
Also at play are chatbots: automated programs that convincingly mimic human conversation and prompt unwitting users for responses containing confidential information.
Keeping the attacks at bay
Since they exploit human psychology far more than technological weaknesses, Social Engineering attacks are relatively difficult to prevent. In the digital world their nature makes them immensely scalable, allowing bad actors to compromise a single victim or, in the case of mass attacks, the integrity of entire organizations. Today experts suggest a combination of the following to mitigate the risk and success of attacks (2).
- Security awareness training, including training to recognize potential scams and curb tendencies to respond to phishing offers
- SOC control policies in the form of Multi-Factor Authentication (MFA) and a Zero-trust security approach (5)
- Cybersecurity technologies like EDR (6) and XDR (7) to enable SOCs to quickly act on identifying threats and neutralizing them
- Use of AI to detect suspicious patterns and anomalies that might point to a potential attack before it materializes. Experts are recommending the use of AI itself to negate AI-generated threats – of the kind that use AI voice technologies (1) like Aflorithmic, Respeecher, and Resemble – something akin to fighting fire with fire
From the time of the iconic apple in the Garden of Eden to modern times, human beings have been known to respond undesirably in the face of different emotional stimuli. It can therefore be comfortably stated that it is next to impossible to totally eliminate Social Engineering as a cybersecurity threat. Perhaps a good suggestion – besides deploying the measures previously mentioned – would be to stringently inculcate the 10-second rule amongst users. That way user actions will not be taken unwittingly and in haste – the bedrock on which Social Engineering tactics are based and thrive!
- (1) Fraudsters Cloned Company Director’s Voice In $35 Million Bank Heist, Police Find (forbes.com)
- (2) What is Social Engineering? (IBM)
- (3) Social Engineering Threats And Mitigation (forbes.com)
- (4) What is Social Engineering? Definition (kaspersky.co.in)